From October 23-26, payment, financial, and financial technology executives and companies will convene at Money 20/20 to discuss the latest innovations in payments and commerce and how consumers and businesses are leveraging them for a better experience. I’m looking forward to this event for a couple of reasons. First, it provides an opportunity for connecting with my payment security peers as well as current and new technology partners. It’s also an exciting time for those of us involved in this continuously evolving ecosystem to convene. As my colleague Peter Galvin noted, we’re seeing a rise in the use of digital payments. In fact, Worldpay predicts eWallets will overtake credit cards as the most popular form of payment by 2019. Forrester Research also estimates in-person mobile payments by U.S. consumers will reach $34 billion by the end of 2019, up from $3.7 billion last year. And according to our own survey, issued in tandem with Wakefield, 60% of respondents currently use a digital payment scheme.
Last year’s conference was marked by some pretty big announcements from legacy firms. Chase unveiled Chase Pay; Nasdaq demonstrated Linq; and MasterCard revealed it was working with chip manufacturers to help companies integrate contactless payments capabilities into wearables and IoT devices in general. This year, I expect to see similarly splashy rollouts, but with a bit more pragmatism thrown in. Mobile payments are hyped (and for a good reason) but the mobile payments ecosystem is still quite nascent and exploiting the use of mobile in general commerce is still developing. Fortunately, this means the opportunities mobile offers are pretty tremendous.
Digital Payment Trends + What They Mean for Security
As I noted in a previous blog, one of the great advantages of mobile payments is that they can bring more security into the payments landscape, through the use of dynamic data for transactions, as well as improved authentication. Examples include the use of encryption for transaction cryptograms, GPS for location verification, and biometrics for identification.
In order to fully leverage mobile devices for payments, and commerce in general, sensitive data needs to be protected as it is routed across untrusted networks. In addition, the mobile devices themselves need a level of trust, which will vary depending on device capabilities (e.g. presence of a secure element). The best way to accomplish this is through the use of cryptography in general and encryption technology in particular. Although one might logically assume that the existence of sensitive data in uncontrolled devices and the passage of that data through untrusted conduits is riskier, it can actually create a richer and more efficient user experience without compromising security, provided the right security foundation and infrastructure is in place. For more information on the topic, please refer to Peter’s recent blog cited above.
This year, I’m particularly keen to discuss developments in the purchasing experience and the use of digital payments. By this, I mean payments no longer being a separate part of one’s physical shopping experience and instead being embedded in the merchant application. Uber is a classic example. Walmart Pay is a different type of example, where the cash register at the store displays a QR code which is scanned by shoppers to pay over their phones. This approach not only leverages a merchant’s mobile application, it also enables more digital options (e.g. electronic receipts) for the consumer as well as more flexibility in payment options for the merchant, without impact to the physical store environment. More reliance on the consumer’s device for the overall commerce experience also affects how security strategies are defined and deployed to avoid fraud (presumably the store only receives indication that payment has been made, not the actual payment information that it can verify).
Another area of interest to me is the leveraging of direct debit from one’s bank account, versus using debit or credit through a physical or virtual card. Work by the Federal Reserve Bank and NACHA on ‘real-time payments’ will increase opportunities and capabilities for the use of direct debits. Currently, mobile devices are driving flexibility for merchants. At some point, we can expect them to determine whether they still need cards to serve as a conduit for payments. This scenario raises a host of security-related questions, such as: Who bears the fraud burden? How is stored bank account information being protected? How is the consumer authenticated? How are fund transfers approved?
Lastly, I’m looking forward to probing the impact of Open APIs and what they mean for the market as a whole (although I’m getting a bit ahead of myself, as this topic is currently more appropriate for the next Money 20/20 Europe). Last year’s Money 20/20 Europe conference featured a ‘Planet of the APIs’ panel, which discussed how a new regulation mandates that financial services providers across the EU provide access to their customers' payment accounts for free to any licensed entity. In the words of payments consultant Killian Clifford, “The risk of disintermediation of banks from their customers is real, and this is exercising the minds of both compliance and strategy departments across the industry.” This topic opens a world of possibilities for consumer services, such as the potential of a single application consolidating banking information from different providers, bills from service providers, merchant accounts, etc. But of course there are also ramifications from a security perspective, such as ‘who’ is authorized to have access to the various providers and ‘how’ the information is protected and authenticated, to mention a few.
Digital Payments as a Business Enabler
Digital commerce and payments are business enablers because they allow companies to cut costs, cut out middlemen, and speed up the transaction process. Consumers can also benefit from simpler and more customized services. With this in mind, I believe the digital security conversation is most effective when it focuses on trends. After all, digital commerce and payments are here to stay and mobile devices will be a key part of delivery. This is inarguable. Instead of chafing against the unknown, security vendors must work with digital service providers to ensure data is protected and only accessible by those authorized to do so – without stymying efficiency and convenience.
Interested in learning more? Check out our webinar, Innovation and Security in the Digital Payments World, or email me at email@example.com.